DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
L2TP - is it the router at fault?
- paul.clark
- Topic Author
- New Member
22 Feb 2018 15:28 #90838
by paul.clark
L2TP - is it the router at fault? was created by paul.clark
Hi Everyone
I'm stumped.
Here's my basic topology
LAN (192.168.*.*) - Server 2016 with 2 network cards running RRAS (192.168.1.1 and 10.0.0.2) - Vigor 2925 (10.0.0.1 and Internet address)
From the internet a client can connect to the RRAS VPN using SSTP fine. But I need Apple devices to connect, so I'm also using L2TP (pre-shared key). These also connect fine.
However, Windows clients won't connect using L2TP (pre-shared key) through the internet.
If I connect one of these Windows devices into the router using a 10.*.*.* address, it connects fine with L2TP or SSTP.
This leads me to think the router is somehow blocking the authentication.
On the router:
In VPN and Remote Access - Remote Access Control, none of the services are ticked.
NAT - Open Ports: ports 500 (TCP/UDP), 4500 (TCP/UDP) and I've even tried 1701 (TCP/UDP) are open to the server's 10.*.*.* address.
Firewall - I've tried turning off Strict Security and enabling 'Pass inbound fragmented large packets'. I've also tried disabling the call and data filters.
When I've checked the logs on the server, L2TP seems to authenticate but the username and password don't.
Any ideas???
- paul.clark
- Topic Author
- New Member
22 Feb 2018 15:33 #90840
by paul.clark
Replied by paul.clark on topic Re: L2TP - is it the router at fault?
PS.
I've also added a registry key change on the server to allow NAT-T. It makes no difference.
The LAN network card on the server doesn't have a Default Gateway but the external network card has the Default Gateway set to the router (10.0.0.1).
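Added example (editor's addition, not code from the thread or from DrayTek): the post above does not name the registry change it made, so this assumes it is the value Microsoft documents for IPsec NAT-T on Windows, AssumeUDPEncapsulationContextOnSendRule under the PolicyAgent service key. Microsoft's guidance applies that value to whichever Windows computer is the IPsec peer behind a NAT device, so the same check can be run on the Windows client as well as on the RRAS server; value 2 is the one that covers a client and a server that are both behind NAT. The second part lists the IKE and IPsec security associations on the machine so you can see whether a connecting peer got past IKE Phase 1 before the username/password stage.

```powershell
# Added example; not code from the forum thread.
# Run in an elevated PowerShell on the Windows endpoint (client or RRAS server).

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$RegName = 'AssumeUDPEncapsulationContextOnSendRule'
# Documented meanings (Microsoft KB926179):
#   0 or absent : IPsec NAT-T is not used when the remote server is behind NAT
#   1           : the remote server may be behind NAT
#   2           : both this computer and the remote server may be behind NAT
$Wanted  = 2

function Get-NatTRule {
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$RegName
}

function Set-NatTRule([int]$Value) {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value $Value -Force | Out-Null
    # The IPsec Policy Agent reads the value at start-up, so restart it (or reboot).
    # On the RRAS server this drops any IPsec SAs that are currently up.
    Restart-Service -Name PolicyAgent -Force
}

$current = Get-NatTRule
if ($null -eq $current) {
    Write-Host "$RegName is not set (behaves as 0)"
} else {
    Write-Host "$RegName is $current"
}
if ($current -ne $Wanted) {
    Set-NatTRule -Value $Wanted
    Write-Host "Set $RegName to $Wanted and restarted PolicyAgent"
}

# While a client is attempting to connect, list the IKE (main mode) and IPsec
# (quick mode) security associations on this host:
#   - main mode SA present, no quick mode SA : IKE Phase 1 completed, Phase 2 did not
#   - no main mode SA at all                 : UDP 500/4500 traffic is not reaching
#                                              this host in a form it accepts
#   - both present                           : the IPsec tunnel is up and the failure
#                                              is in L2TP/PPP (e.g. the credentials)
Write-Host "--- IKE main mode SAs ---"
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint
Write-Host "--- IPsec quick mode SAs ---"
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint
```

The Get-NetIPsec*SA cmdlets come with the NetSecurity module on Windows 8 / Server 2012 and later; on the RRAS server, run the SA listing in the few seconds while a Windows client is dialling, since failed attempts leave nothing behind.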
- paul.clark
- Topic Author
- New Member
22 Feb 2018 16:17 #90844
by paul.clark
Replied by paul.clark on topic Re: L2TP - is it the router at fault?
PPS
Also tried disabling DoS on the router. Still no luck.
- hornbyp
- Big Contributor
22 Feb 2018 16:21 #90847
by hornbyp
Replied by hornbyp on topic Re: L2TP - is it the router at fault?
There's a Draytek article here:
https://www.draytek.com/en/faq/faq-vpn/vpn.others/how-to-set-up-vigor-router-to-pass-through-vpn-tunnel/
and something I recently stumbled upon in my 2860's Telnet interface ...
Code:
Valhalla> srv nat ipsecpass ?
%% srv nat ipsecpass [options]
%% on : Enabled IPSec ESP tunnel pass-thru and IKE src_port:500 preservation.
%% off : Disabled IPSec ESP tunnel pass-thru and IKE src_port:500 preservation.
%% status : Check status.
Valhalla> srv nat ipsecpass status
%% Status: IPsec ESP pass-thru and IKE src_port:500 preservation is OFF.
Valhalla>
- paul.clark
- Topic Author
- New Member
27 Feb 2018 11:19 #90883
by paul.clark
Replied by paul.clark on topic Re: L2TP - is it the router at fault?
Here's the current value;
GEV_Hull> srv nat ipsecpass status
%% Status: IPsec ESP pass-thru and IKE src_port:500 preservation is ON.
GEV_Hull>
I'm pulling my hair out!!!
- paul.clark
- Topic Author
- New Member
27 Feb 2018 11:20 #90884
by paul.clark
Replied by paul.clark on topic Re: L2TP - is it the router at fault?
I've also updated the firmware on the router to the latest version.
Moderators: Chris, Sami
Copyright © 2024 DrayTek